Network World

Security Strategies Alert

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.

Search Security Strategies Alert Security news and resources from Network World.

CSIRT Management: Lessons from Other Group Postmortems (Part 2): 07/06/09; In Week 9 of the 11-week course on Computer Security Incident Response Team Management that I taught in summer 2008, one of the weekly discussion questions was as follows:
CSIRT Management: Lessons from other group postmortems: 07/01/09; My favorite graduate course in the Norwich University Master of Science in Information Assurance Program is the "Computer Security Incident Response Team Management" graduate seminar which I developed some years ago based in part on an extensive series of articles on the subject that appeared here in the Network World Security Strategies and that I collected for readers in a single document freely available on my Web site along with a free companion CD-ROM from the Defense Information Systems Agency on the subject.
Iran, disintermediation and cyberwar: 06/29/09; With some justification, skeptics have questioned whether cyberwar is a realistic scenario for concern or merely a scary story to earn funding for security companies and writers. Unfortunately, there are many cases in which journalists and others have leaped to the conclusion that security breaches are examples of cyberwar; recent examples include the Estonian "cyberwar" of 2007 and the attacks on the Church of Scientology in early 2009.
Subtle pressures for security policy compliance: 06/24/09; Information security officers and managers are constantly looking for ways to encourage colleagues to comply with security policies. The paper "Social Psychology and INFOSEC: Psycho-Social Factors in the Implementation of Information Security Policy" summarizes a number of principles from social psychology that can help practitioners in our work.
Working with consultants part 4: 06/22/09; One test you can apply to judge the professionalism of a prospective consultant is to ask her to identify the limits of her professional competence. A professional consultant will clearly identify the limits of her knowledge.
Working with consultants part 3: 06/17/09; When you have chosen your consultant, prepare an action plan that defines what you both plan to do, by when and how you will know when to stop using their services.
Working with consultants: 06/15/09; When the client and consultant are discussing problems and how the consultant could help, both parties must be conscious that a consultant always has two allegiances: to the manager hiring her and to the firm employing the manager.
Working with consultants: 06/10/09; One of the great developments of evolution and of civilization was specialization or the division of labor: allowing individuals to become really good at specific tasks without having to worry about all the other kinds of activity required to support life.
Consensus metrics for information security: 06/08/09; On May 20, 2008, the Center for Internet Security (CIS) announced the public release of a set of metrics for information security. The organization is dedicated to helping "organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. Click Here to learn more about CIS's mission." Their charter was last updated in 2002 and is fully described online.
Quality control, data integrity, and the silly season: 06/03/09; Every now and then we read about errors that we just have to laugh at. And now and then I get tired of writing serious columns. So today, either indulge me or just ignore this contribution altogether.
Dr. Johnston's Security Maxims: Sense and Humor: 06/01/09; Having graduate students is like having a thousand sets of eyes and ears: they are always noticing neat stuff and sending pointers that stimulate thought or – as often – cause delighted laughter.
Security metrics research: 05/27/09; One of the most difficult aspects of managing risk in information assurance (IA) is that our statistical information is so poor. We don't know about security breaches that we have not noticed; we don't report all the breaches that we do notice to any central collection point; and we use dreadful methodology for collecting information using poorly-constructed surveys that have tiny percentages of respondents, no internal validation, and no follow-up verification.
Phishing using scary bait: 05/22/09; Job offers in phishing e-mail are designed to trick users into revealing confidential personally identifiable information (PII); they may also be hoping to fool victims into sending criminals some money.
iPhone Security, Part 2: 05/20/09; Steinberger: Based on my personal observation and analysis, the main security constraints imposed by the iPhone Operating System are as follows.
iPhone security, Part 1: 05/19/09; My friend and colleague Adjunct Professor Richard Steinberger from the MSIA Program at Norwich University sent me an e-mail note recently about the interesting security model used by Apple for its mobile devices. I invited him to expand on his thoughts and am delighted to present his analysis today. Everything that follows is entirely Ric’s work with minor edits.
Implications of proposed Cybersecurity Act of 2009, Part 2: 05/13/09; Garamella: An effective attack could disrupt or disable elements such as public utilities, including power, water and gas. Ground and air traffic control systems are also potential targets. These critical elements warrant no less protection than defense, finance and healthcare. There is a proliferation of data breaches from all sectors of the cyber infrastructure. Left alone, this situation will only get worse.
Implications of proposed Cybersecurity Act of 2009, Part 1: 05/11/09; Legislators mean well, but their proposals for regulation of areas that depend on technical expertise always make my hackles rise - even before I've read the details. One of these cases is the occasion for today's and our next columns.
Increasing Internet security for average users: 05/07/09; Boyle: One day, while working hard as the chief information security officer at an insurance company, I realized that much of our organization's network security was in the hands of ordinary users of our computers. No matter how much my team did to safeguard our customers' confidential data, no matter how much money we spent on our mission, all it would take was one average Internet-using employee to cause major damage, either deliberately or accidentally.
IA career development: Need for IA professionals will grow: 05/05/09; We will see increasing integration of information assurance into the strategic thinking of organizations as managers realize that the economic downturn increases pressures for illegality. Employees and managers who are desperate for continued employment may find their ethical standards weakening; we already have documented cases from past years of employees and managers who have broken into competitors' systems to acquire competitive intelligence or to steal intellectual property that will yield an immediate economic advantage to their current employers. How many more will we see as they contemplate the specter of job loss?
Locking out users gives attackers a tool for denial of service: 04/30/09; When I was a lad (OK, when I was a young systems engineer of 30 - which is 30 years ago), I was taught that if a user made several mistakes in entering her password, the system should lock her account until a system operator granted access again. The goal was to stop an attacker from guessing at a user’s password without limit.
Guide to enterprise password management drafted: 04/28/09; I hate passwords. I think passwords are a dreadful way of authenticating identity: they cost a lot, they change too often (and so users write them down), the rules for preventing dictionary and brute-force attacks are generally easy for users to circumvent, there are too many of them (and so users write them... oh never mind), and nothing can stop users from writing them down (and sticking them in their wallets, under their keyboards, behind their screens, in their desk drawers...). And yet we constantly hear non-technical managers resisting smart-token-based authentication or proximity cards because they are supposedly too expensive.
Flaws in 'Internet SAFETY' bill: 04/23/09; Friend and colleague Robert Gezelter points to serious deficiencies in the thinking behind legislation currently under consideration in the House and Senate.
The state of spam 2009, Part 4: 04/21/09; Jamie de Guerre, CTO of Cloudmark, talks about the latest antispam technologies coming out of Cloudmark's research labs.
The state of spam 2009, Part 3: 04/16/09; Cloudmark CTO Jamie de Guerre continues his response to the question of what has changed in the battle against spam in the last year, discussing free content-hosting services, compromised accounts at Webmail providers and new-media spam.
The state of spam 2009, Part 2: 04/14/09; Cloudmark CTO Jamie de Guerre: I think there have been several changes and a couple of events that happened in the past year that are interesting and will have an effect on how spam is sent in the coming year.